DETAILED ACTION
EXAMINER'S AMENDMENT 

1. An examiner's amendment to the record appears below. Should the changes
and/or additions be unacceptable to applicant, an amendment may be filed as provided
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be
submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in a telephone interview 
with Joe Christian on 7/26/2005. 

The application has been amended as follows: 
Claim 1: A method enabling a network-addressable device to detect use of its
identity by a spoofing vandal, comprising the acts of: 

receiving a message by the network-addressable device from a target of a 
denial of service attack by the spoofing vandal, said attack comprising a denial of
service communication sent by the spoofing vandal to the target; 

detecting, by the network-addressable device, a communication protocol 
violation consequent to the message, wherein the communication protocol violation is 
indicative of the denial of service attack on the target by the spoofing vandal using an 
identity of the network-addressable device in the denial of service communication,
the detecting of the communication protocol violation being performed after the
receiving of the message by the network-addressable device has been performed; and

generating, by the network-addressable device, a spoofing alert responsive to
the act of detecting the communication protocol violation. 



Claim 22: A method enabling a network-addressable device to detect use of its 
identity by a spoofing vandal, comprising the acts of: 

receiving a message by the network-addressable device from a target of a 
denial of service attack by the spoofing vandal, said attack comprising a denial of 
service communication sent by the spoofing vandal to the target; 

detecting, by the network-addressable device, a communication protocol 
violation consequent to the message, wherein the communication protocol violation is 
indicative of the denial of service attack on the target by the spoofing vandal using the 
identity of the network-addressable device in the denial of service communication,
the detecting of the communication protocol violation being performed after the
receiving of the message has been performed; 

recording attributes of the message; 

advancing the value of a counter associated with the target; 

comparing the value of the counter with a predetermined threshold; 

generating a spoofing alert when a result of said comparing is that the value 
of the counter exceeds the threshold, said recording, advancing, comparing, and 
generating being performed by the network-addressable device. 
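
The steps of Claim 22 sketched as code, as an added illustration that is not part of the Office action or the application. It assumes the protocol violation is a TCP SYN-ACK or RST arriving for a connection the device never opened; the class, field names and sample addresses are constructed.

```python
from collections import defaultdict, namedtuple

# Inbound TCP segment as seen by the device; src is the suspected DoS target.
Segment = namedtuple("Segment", "src sport dport flags")

class SpoofDetector:
    def __init__(self, threshold):
        self.threshold = threshold
        self.open_flows = set()            # (remote, rport, lport) the device opened
        self.counters = defaultdict(int)   # violation counter per target
        self.records = []                  # recorded attributes of each violating message
        self.alerted = set()

    def sent_syn(self, remote, rport, lport):
        """Note an outbound SYN so that the reply to it is not a violation."""
        self.open_flows.add((remote, rport, lport))

    def is_violation(self, seg):
        # Assumed violation: a SYN-ACK or RST answering a SYN this device never sent.
        unsolicited = (seg.src, seg.sport, seg.dport) not in self.open_flows
        return unsolicited and seg.flags in ("SA", "R", "RA")

    def receive(self, seg):
        """Process one message; return an alert string or None."""
        if not self.is_violation(seg):
            return None
        self.records.append(seg)                     # record attributes
        self.counters[seg.src] += 1                  # advance the target's counter
        if self.counters[seg.src] > self.threshold:  # compare with threshold
            if seg.src not in self.alerted:          # alert once per target (a choice made here)
                self.alerted.add(seg.src)
                return f"spoofing alert: our address is being used against {seg.src}"
        return None

def run_sample(threshold=3):
    """Feed constructed traffic (documentation addresses) through the detector."""
    det = SpoofDetector(threshold)
    det.sent_syn("203.0.113.5", 443, 40000)          # a connection the device did open
    traffic = [Segment("203.0.113.5", 443, 40000, "SA")]
    traffic += [Segment("198.51.100.7", 80, 1024 + i, "SA") for i in range(5)]
    alerts = [a for a in map(det.receive, traffic) if a]
    return det, alerts

if __name__ == "__main__":
    det, alerts = run_sample()
    print(alerts, dict(det.counters))
```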

Allowable Subject Matter

2. Claims 1-3, 7-8, 10-12, 15, 17-19, 22-30 are allowed. 

3. The following is an examiner's statement of reasons for allowance: 

3.1 Referring to the independent claims 1 and 22, Sherer discloses medium
access control address authentication (see abstract and Fig. 4). Sherer teaches a
star configured interconnection device having a plurality of ports adapted for
connection to respective MAC layer devices, and storing in that device authentication
data that maps MAC addresses of end stations in the network to particular ports on the
device. Upon receiving a packet on a particular port, the process involves determining
whether the packet carries a source address that the authentication data maps to the
particular port. If it does, the packet is accepted. If the packet does not carry a
source MAC address that the authentication data maps to the port, then an
authentication protocol is executed on the port to determine whether the MAC address
originates from an authorized sender according to the authentication protocol (see
abstract). According to Sherer, network devices learn the segments of the network on
which to find certain MAC addresses. Thus, by using the MAC address of another
device, an end station is capable of fooling the network so that packets destined to
the end station that it is mimicking are routed to the mimic. An unscrupulous user
spoofing another packet can introduce unwanted data such as computer viruses into a
packet stream being transmitted from the end station, or hijack a user's network
session and gain unauthorized access to other system resources (see column 1, lines
50-65).

3.2 Sherer, however, does not teach detecting, by the network-addressable device,
a communication protocol violation indicative of the denial of service attack on the target 
by the spoofing vandal using an identity of the network-addressable device in the denial 
of service communication. 

Referring to the independent claims 1 and 22, Glawitsch discloses a system for
preventing a spoofed denial of service attack in a networked computing environment (see
abstract). Glawitsch teaches generating a request acknowledgement packet with a
checksum as the pseudo sequence number and the source address in the request packet as
the destination address. Comparison of the checksums serves as an indication of the
denial of service attack (see abstract and Fig. 8). Glawitsch, however, does not teach
or suggest the denial of service attack on the target by the spoofing vandal using an
identity of the network-addressable device.

3.3 Neither Sherer nor Glawitsch teaches or suggests generating, by the
network-addressable device, a spoofing alert. Referring to the instant claim, Franz
teaches generating a spoof control packet, setting the alerts and discarding the packets
(see abstract and Fig. 3, blocks 340 and 399). However, the combination of Sherer with
Glawitsch and with Franz does not render the instant claims obvious, because of the
deficiencies of Sherer and Glawitsch indicated above (see paragraphs 3.1-3.2).

4. In view of the reasons presented herein, claims 1-3, 7-8, 10-12, 15, 17-19, 22-30 
are in condition for allowance. 



Application/Control Number: 09/849,697
Art Unit: 2132

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Grigory Gurshman whose telephone number is 
(571)272-3803. The examiner can normally be reached on 9 AM-5:30 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on (571)272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 